<p>Using command line arguments is security-sensitive. It has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7281">CVE-2018-7281</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326">CVE-2018-12326</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3198">CVE-2011-3198</a> </li>
</ul>
<p>Command line arguments can be dangerous just like any other user input. They should never be used without being first validated and sanitized.</p>
<p>Remember also that any user can retrieve the list of processes running on a system, which makes the arguments provided to them visible. Thus
passing sensitive information via command line arguments should be considered as insecure.</p>
<p>This rule raises an issue when on every program entry points (<code>main</code> methods) when command line arguments are used. The goal is to guide
security code reviews.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> any of the command line arguments are used without being sanitized first. </li>
  <li> your application accepts sensitive information via command line arguments. </li>
</ul>
<p>If you answered yes to any of these questions you are at risk.</p>
<h2>Recommended Secure Coding Practices</h2>
<p><a href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">Sanitize</a> all command line arguments before using them.</p>
<p>Any user or application can list running processes and see the command line arguments they were started with. There are safer ways of providing
sensitive information to an application than exposing them in the command line. It is common to write them on the process' standard input, or give the
path to a file containing the information.</p>
<h2>Sensitive Code Example</h2>
<p>This rule raises an issue as soon as there is a reference to argv, be it for direct use or via a CLI library like JCommander, GetOpt or Apache
CLI.</p>
<pre>
public class Main {
  public static void main (String[] argv) {
    String option = argv[0]; &nbsp;// Sensitive: check how the argument is used
  }
}
</pre>
<pre>
// === JCommander ===
import&nbsp;com.beust.jcommander.*;

public class Main {
  public static void main (String[] argv) {
    Main main = new Main();
    JCommander.newBuilder()
      .addObject(main)
      .build()
      .parse(argv); // Sensitive
    main.run();
  }
}
</pre>
<pre>
// === GNU Getopt ===
import gnu.getopt.Getopt;

public class Main {
  public static void main (String[] argv) {
    Getopt g = new Getopt("myprog", argv, "ab"); // Sensitive
  }
}
</pre>
<pre>
// === Apache CLI ===
import org.apache.commons.cli.*;

public class Main {
  public static void main (String[] argv) {
    Options options = new Options();
    CommandLineParser parser = new DefaultParser();
    try {
      CommandLine line = parser.parse(options, argv); // Sensitive
    }
  }
}
</pre>
<p>In the case of Args4J, an issue is created on the <code>public void run</code> method of any class using <code>org.kohsuke.args4j.Option</code> or
<code>org.kohsuke.args4j.Argument</code>.</p>
<p>Such a class is called directly by <code>org.kohsuke.args4j.Starter</code> outside of any <code>public static void main</code> method. If the class
has no <code>run</code> method, no issue will be raised as there must be a <code>public static void main</code> and its argument is already
highlighted.</p>
<pre>
// === argv4J ===
import org.kohsuke.args4j.Option;
import org.kohsuke.args4j.Argument;

public class Main {
  @Option(name="-myopt",usage="An option")
  public String myopt;

  @Argument(usage = "An argument", metaVar = "&lt;myArg&gt;")
  String myarg;

  String file;

  @Option(name="-file")
  public void setFile(String file) {
    this.file = file;
  }

  String arg2;

  @Argument(index=1)
  public void setArg2(String arg2) {
    this.arg2 = arg2;
  }

  public void run() { // Sensitive: This function
     myarg.toString(); // check how this argument is used
  }
}
</pre>
<h2>Exceptions</h2>
<p>The support of Argv4J without the use of <code>org.kohsuke.argv4j.Option</code> is out of scope as there is no way to know which Bean will be used
as the mainclass.</p>
<p>No issue will be raised on <code>public static void main(String[] argv)</code> if <code>argv</code> is not referenced in the method.</p>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/88.html">MITRE, CWE-88</a> - Argument Injection or Modification </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/214.html">MITRE, CWE-214</a> - Information Exposure Through Process Environment </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>

